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CLAIMS 

1 . A method for generating lookup tables and a final equivalence set for use in clas- 
sifying a network packet in accordance with a policy that specifies one or more classes, 
each class containing one or more match statements, the match statements being one of a 
stand-alone matching rule and a matching rule in an access control list (ACL) defining 
one or more matching rules, the method comprising the steps of: 

generating a super class that contains all of the matching rules associated with the 
classes specified by the policy; and 

converting the matching rules of the super class into a single, hierarchical ar- 
rangement of lookup tables and associated equivalence sets, the hierarchical arrangement 
having a plurality of levels including a first level and a final level, the final equivalence 
set being associated with the final level. 

2. The method of claim 1 wherein the step of generating a super class comprises the 
step of: 

saving class information associated with each class. 

3. The method of claim 2 wherein the class information includes for each class: 
a class name that identifies the class; 

a class criterion associated with the class; and 

a bitmap representing the matching rules associated with the class. 

4. The method of claim 1 wherein the network packet is organized into a plurality of 
sections and the step of converting comprises the steps of: 

generating a first-level lookup table and a first-level equivalence set for each net- 
work packet section using the matching rules of the super class; 

merging the first-level equivalence sets to produce one or more next-level lookup 
tables and next-level equivalence sets; and 
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merging the equivalence sets for each level to produce one or more next-level 
lookup tables and next-level equivalence sets until the lookup table associated with final 
level is produced. 

5 . The method of claim 4 wherein each network packet section is associated with a 
value and the step of generating the first-level lookup tables and first-level equivalence 
sets comprises the steps of: 

creating a bitmap that represents the matching rules associated with a respective 
network packet section's value; 

determining if the bitmap matches an entry in the first-level equivalence set and, 
if so, assigning an equivalence set index value associated with the matching entry to the 
bitmap, otherwise, assigning a new equivalence set index value to the bitmap and placing 
the bitmap in the equivalence set; and 

associating the equivalence set index value with the first-level lookup table entry 
associated with the respective network packet section's value. 

6. The method of claim 4 wherein the step of merging the equivalence sets for each 
level to produce one or more next-level lookup tables and next-level equivalence sets, 
comprises the steps of: 

a) calculating the cross-product of a first bitmap associated with a first equiva- 
lence set and a second bitmap associated with a second equivalence set to produce a third 
bitmap; 

b) determining if the third bitmap matches an entry in the next-level equivalence 
set and, if so, assigning an equivalence set index value associated with the matching entry 
to the third bitmap, otherwise, assigning a new equivalence set index value to the third 
bitmap and placing the third bitmap in the equivalence set; 

c) associating a next-level lookup table entry with the equivalence set index value; 

and 

d) repeating steps a through c for all entries in the first equivalence set and all the 
entries in the second equivalence set. 
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7. The method of claim 1 further comprising the step of: 

associating each entry in the final equivalence set with one or more classes. 

8. The method of claim 1 further comprising the step of: 

transferring the lookup tables and final equivalence set to a network device that 
performs packet classification. 

9. A method for generating lookup tables, a final equivalence set and a results table 
for use in classifying a network packet in accordance with one or more match statements, 
the match statements being one of a stand-alone matching rule and a matching rule in an 
access control list (ACL) defining one or more matching rules, the method comprising 
the steps of: 

generating a super class that contains all of the matching rules; 

converting the matching rules of the super class into a single, hierarchical ar- 
rangement of lookup tables and equivalence sets, the hierarchical arrangement having a 
plurality of levels including a first level and a final level, the final equivalence set being 
associated with the equivalence set of the final level; and 

generating the results table from the entries in the final equivalence set. 

10. The method of claim 9 wherein each entry in the final equivalence set is associ- 
ated with an equivalence set index value and the step of generating the results table from 
the entries in the final equivalence set, comprises the step of: 

associating the equivalence set index value with a result associated with the 

packet. 

1 1 . The method of claim 9 further comprising the step of: 

transferring the lookup tables and final equivalence set to a network device that 
performs packet classification. 

12. A method for classifying a network packet in accordance with a policy that speci- 
fies one or more classes, each class containing one or more match statements, the match 
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3 statements being one of a stand-alone matching rule and a matching rule in an access 

4 control list (ACL) defining one or more matching rules, the method comprising the steps 

5 of: 

6 generating a super class that contains all of the matching rules; 

7 saving class information associated with each class; 

1 converting the matching rules of the super class into a single, hierarchical ar- 

2 rangement of lookup tables and associated equivalence sets, the hierarchical arrangement 

3 having a plurality of levels including a first level and a final level, a final equivalence set 

4 being associated with the final level; 

5 applying the network packet to the lookup tables to generate an outcome index; 
Q 6 applying the outcome index to the final equivalence set to generate a bitmap 

7 value; and 

SO 8 associating the bitmap value with the saved class information to determine one or 

j° 9 more classes associated with the network packet. 



til i 1 3 . The method of claim 1 2 further comprising the step of: 

m 2 dividing the network packet into a plurality of sections. 



1 14. A method for classifying a network packet in accordance with one or more match 

2 statements, the match statements being one of a stand-alone matching rule and a match- 

3 ing rule in an access control list (ACL) defining a plurality of matching rules, the method 

4 comprising the steps of: 

5 generating a super class that contains all of the matching rules; 

6 converting the matching rules of the super class into a single, hierarchical ar- 

7 rangement of lookup tables, the hierarchical arrangement having a plurality of levels in- 

8 eluding a first level and a final level, a final equivalence set being associated with the fi- 

9 nal level; 

10 generating a results table from entries in the final equivalence set; 

1 1 applying the network packet to the lookup tables to generate an outcome index; 

12 and 
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13 applying the outcome index to the results table to determine a result that applies to 

14 the network packet. 

1 15. The method of claim 14 wherein the result is a pointer to a class associated with 

2 the network packet. 

1 1 6. The method of claim 14 wherein the result is a pointer to a matching rule associ- 

2 ated with the network packet. 

l 17. The method of claim 14 further comprising the step of: 



Q 2 dividing the network packet into a plurality of sections. 



1 18. An apparatus for generating lookup tables and a final equivalence set for use in 

2 classifying a network packet in accordance with a policy having one or more classes, 

3 each class containing one or more match statements, the match statements being one of a 

4 stand-alone matching rule and a matching rule in an access control list (ACL) defining 

5 one or more matching rules, comprising: 

6 a processor; 

7 a memory coupled to the processor; and 

8 means for generating a super class that contains all of the matching rules associ- 

9 ated with the classes; 

10 whereby the processor is configured to a) convert the matching rules of the super 
n class into a single, hierarchical arrangement of lookup tables and equivalence sets, the 

12 hierarchical arrangement having a plurality of levels including a first level and a final 

13 level, the final equivalence set being associated with the final level and b) place the 

14 lookup tables and final equivalence set in the memory. 

1 19. The apparatus of claim 18 further comprising: 

2 a content-addressable memory (CAM); 

3 whereby the processor is configured to place the lookup tables in the CAM. 



26 

H:\l 12\025\0489\PROSECUT\0489.doc 02/08/02 12:37 PM 



PATENT 
112025-0489 

1 20. An apparatus for generating lookup tables, a final equivalence set and a results 

2 table for use in classifying a network packet in accordance with one or more match 

3 statements, the match statements being one of a stand-alone matching rule and a match- 

4 ing rale in an access control list (ACL) defining a plurality of matching rules, compris- 

5 ing: 

6 a processor; 

7 a memory coupled to the processor; and 

8 means for generating a super class that contains all of the matching rules; 

9 whereby the processor is configured to a) convert the matching rules of the super 

10 class into a single, hierarchical arrangement of lookup tables and equivalence sets, the 

1 1 hierarchical arrangement having a plurality of levels including a first level and a final 

12 level, the final equivalence set being associated with the final level, b) place the lookup 

13 tables and final equivalence set in the memory, and c) generate the results table from en- 

14 tries in the final equivalence set. 



1 21. The apparatus of claim 20 further comprising: 

2 a content-addressable memory (CAM); 

3 whereby the processor is configured to place the lookup tables in the CAM. 

1 22. A network device for classifying a network packet in accordance with a policy 

2 having one or more classes, each class containing one or more match statements, the 

3 match statements being one of a stand-alone matching rule and a matching rule in an ac- 

4 cess control list (ACL) defining a plurality of matching rules, the network device com- 

5 prising: 

6 means for generating a super class that contains all of the matching rules associ- 

7 ated with the classes; 

8 means for saving class information associated with each class; 

9 means for converting the matching rules of the super class into a single, hierarchi- 

10 cal arrangement of lookup tables and equivalence sets, the hierarchical arrangement hav- 
n ing a plurality of levels including a first level and a final level, a final equivalence set 

12 being associated with the final level; 
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means for applying the network packet to the lookup tables to generate an out- 
come index; 

means for applying the outcome index to the final equivalence set to generate a 
bitmap value; and 

means for associating the bitmap value with the saved class information to deter- 
mine one or more classes associated with the network packet. 

23 . A network device for classifying a network packet in accordance with one or 
more match statements, the match statements being one of a stand-alone matching rule 
and a matching rule in an access control list (ACL) defining a plurality of matching rules, 
the network device comprising: 

means for generating a super class that contains all of the matching rules; 

means for converting the matching rules of the super class into a single, hierarchi- 
cal arrangement of lookup tables and equivalence sets, the hierarchical arrangement hav- 
ing a plurality of levels including a first level and a final level, a final equivalence set 
being associated with the final level; 

means for generating a results table from entries in the final equivalence set; 

means for applying the network packet to the lookup tables associated with the 
first level to generate an outcome index; and 

means for applying the outcome index to the results table to determine a result 
that applies to the network packet. 

24. A computer readable media comprising: 

the computer readable media containing computer executable instructions for 
execution in a processor for the practice of the method of claim 1. 

25 . A computer readable media comprising: 

the computer readable media containing computer executable instructions for 
execution in a processor for the practice of the method of claim 9. 

26. A computer readable media comprising: 
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the computer readable media containing computer executable instructions for 
execution in a processor for the practice of the method of claim 12. 

27. A computer readable media comprising: 

the computer readable media containing computer executable instructions for 
execution in a processor for the practice of the method of claim 14. 
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